Open buraglio opened 3 years ago
I'm not sure how to include that module. I thought it would be a compile option, but I'm not seeing it. This is the output of ./configure -h
for Unbound 1.15.0:
`configure' configures unbound 1.15.0 to adapt to many kinds of systems.
Usage: ./configure [OPTION]... [VAR=VALUE]...
To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE. See below for descriptions of some of the useful variables.
Defaults for the options are specified in brackets.
Configuration:
-h, --help display this help and exit
--help=short display options specific to this package
--help=recursive display the short help of all the included packages
-V, --version display version information and exit
-q, --quiet, --silent do not print `checking ...' messages
--cache-file=FILE cache test results in FILE [disabled]
-C, --config-cache alias for `--cache-file=config.cache'
-n, --no-create do not create output files
--srcdir=DIR find the sources in DIR [configure dir or `..']
Installation directories:
--prefix=PREFIX install architecture-independent files in PREFIX
[/usr/local]
--exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
[PREFIX]
By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc. You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.
For better control, use the options below.
Fine tuning of the installation directories:
--bindir=DIR user executables [EPREFIX/bin]
--sbindir=DIR system admin executables [EPREFIX/sbin]
--libexecdir=DIR program executables [EPREFIX/libexec]
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
--datarootdir=DIR read-only arch.-independent data root [PREFIX/share]
--datadir=DIR read-only architecture-independent data [DATAROOTDIR]
--infodir=DIR info documentation [DATAROOTDIR/info]
--localedir=DIR locale-dependent data [DATAROOTDIR/locale]
--mandir=DIR man documentation [DATAROOTDIR/man]
--docdir=DIR documentation root [DATAROOTDIR/doc/unbound]
--htmldir=DIR html documentation [DOCDIR]
--dvidir=DIR dvi documentation [DOCDIR]
--pdfdir=DIR pdf documentation [DOCDIR]
--psdir=DIR ps documentation [DOCDIR]
System types:
--build=BUILD configure for building on BUILD [guessed]
--host=HOST cross-compile to build programs to run on HOST [BUILD]
Optional Features:
--disable-option-checking ignore unrecognized --enable/--with options
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
--enable-checking Enable warnings, asserts, makefile-dependencies
--enable-debug same as enable-checking
--disable-flto Disable link-time optimization (gcc specific option)
--enable-pie Enable Position-Independent Executable (eg. to fully
benefit from ASLR, small performance penalty)
--enable-relro-now Enable full relocation binding at load-time (RELRO
NOW, to protect GOT and .dtor areas)
--enable-shared[=PKGS] build shared libraries [default=yes]
--enable-static[=PKGS] build static libraries [default=yes]
--enable-fast-install[=PKGS]
optimize for fast installation [default=yes]
--disable-libtool-lock avoid locking (might break parallel builds)
--disable-rpath disable hardcoded rpath (default=enabled)
--disable-largefile omit support for large files
--enable-systemd compile with systemd support
--enable-alloc-checks enable to memory allocation statistics, for debug
purposes
--enable-alloc-lite enable for lightweight alloc assertions, for debug
purposes
--enable-alloc-nonregional
enable nonregional allocs, slow but exposes regional
allocations to other memory purifiers, for debug
purposes
--disable-swig-version-check
Disable swig version check to build python modules
with older swig even though that is unreliable
--disable-sha1 Disable SHA1 RRSIG support, does not disable nsec3
support
--disable-sha2 Disable SHA256 and SHA512 RRSIG support
--enable-subnet Enable client subnet
--disable-gost Disable GOST support
--disable-ecdsa Disable ECDSA support
--disable-dsa Disable DSA support
--disable-ed25519 Disable ED25519 support
--disable-ed448 Disable ED448 support
--enable-event-api Enable (experimental) pluggable event base
libunbound API installed to unbound-event.h
--enable-tfo-client Enable TCP Fast Open for client mode
--enable-tfo-server Enable TCP Fast Open for server mode
--enable-static-exe enable to compile executables statically against
(event) uninstalled libs, for debug purposes
--enable-fully-static enable to compile fully static
--enable-lock-checks enable to check lock and unlock calls, for debug
purposes
--enable-allsymbols export all symbols from libunbound and link binaries
to it, smaller install size but libunbound export
table is polluted by internal symbols
--enable-dnstap Enable dnstap support (requires protobuf-c)
--enable-dnscrypt Enable dnscrypt support (requires libsodium)
--enable-cachedb enable cachedb module that can use external cache
storage
--enable-ipsecmod Enable ipsecmod module that facilitates
opportunistic IPsec
--enable-ipset enable ipset module
--disable-explicit-port-randomisation
disable explicit source port randomisation and rely
on the kernel to provide random source ports
--enable-linux-ip-local-port-range
Define this to enable use of
/proc/sys/net/ipv4/ip_local_port_range as a default
outgoing port range. This is only for the libunbound
on Linux and does not affect unbound resolving
daemon itself. This may severely limit the number of
available outgoing ports and thus decrease
randomness. Define this only when the target system
restricts (e.g. some of SELinux enabled
distributions) the use of non-ephemeral ports.
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
--without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
--with-conf-file=path Pathname to the Unbound configuration file
--with-run-dir=path set default directory to chdir to (by default dir
part of cfg file)
--with-chroot-dir=path set default directory to chroot to (by default same
as run-dir)
--with-share-dir=path set default directory with shared data (by default
same as share/unbound)
--with-pidfile=filename set default pathname to unbound pidfile (default
run-dir/unbound.pid)
--with-rootkey-file=filename
set default pathname to root key file (default
run-dir/root.key). This file is read and written.
--with-rootcert-file=filename
set default pathname to root update certificate file
(default run-dir/icannbundle.pem). This file need
not exist if you are content with the builtin.
--with-username=user set default user that unbound changes to (default
user is unbound)
--with-pic[=PKGS] try to use only PIC/non-PIC objects [default=use
both]
--with-aix-soname=aix|svr4|both
shared library versioning (aka "SONAME") variant to
provide on AIX, [default=aix].
--with-gnu-ld assume the C compiler uses GNU ld [default=no]
--with-sysroot[=DIR] Search for dependent libraries within DIR (or the
compiler's sysroot if not specified).
--with-pthreads use pthreads library, or --without-pthreads to
disable threading support.
--with-solaris-threads use solaris native thread library.
--with-syslog-facility=LOCAL0 - LOCAL7
set SYSLOG_FACILITY, default DAEMON
--with-dynlibmodule build dynamic library module, or
--without-dynlibmodule to disable it. (default=no)
--with-pyunbound build PyUnbound, or --without-pyunbound to skip it.
(default=no)
--with-pythonmodule build Python module, or --without-pythonmodule to
disable script engine. (default=no)
--with-nss=path use libnss instead of openssl, installed at path.
--with-nettle=path use libnettle as crypto library, installed at path.
--with-ssl=pathname enable SSL (will check /usr/local/ssl /usr/lib/ssl
/usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw
/usr or specify like /usr/include/openssl11)
--with-libbsd Use portable libbsd functions
--with-deprecate-rsa-1024
Deprecate RSA 1024 bit length, makes that an
unsupported key, for use when OpenSSL FIPS refuses
1024 bit verification
--with-libevent=pathname
use libevent (will check /usr/local /opt/local
/usr/lib /usr/pkg /usr/sfw /usr or you can specify
an explicit path). Slower, but allows use of large
outgoing port ranges.
--with-libexpat=path specify explicit path for libexpat.
--with-libhiredis=path specify explicit path for libhiredis.
--with-libnghttp2=path specify explicit path for libnghttp2.
--with-dnstap-socket-path=pathname
set default dnstap socket path
--with-protobuf-c=path Path where protobuf-c is installed, for dnstap
--with-libsodium=path Path where libsodium is installed, for dnscrypt
--with-libmnl=path specify explicit path for libmnl.
--with-libunbound-only do not build daemon and tool programs
Some influential environment variables:
CC C compiler command
CFLAGS C compiler flags
LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
nonstandard directory <lib dir>
LIBS libraries to pass to the linker, e.g. -l<library>
CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
you have headers in a nonstandard directory <include dir>
CPP C preprocessor
YACC The `Yet Another Compiler Compiler' implementation to use.
Defaults to the first program found out of: `bison -y', `byacc',
`yacc'.
YFLAGS The list of arguments that will be passed by default to $YACC.
This script will default YFLAGS to the empty string to avoid a
default value of `-d' given by some make applications.
LT_SYS_LIBRARY_PATH
User-defined run-time library search path.
PKG_CONFIG path to pkg-config utility
PKG_CONFIG_PATH
directories to add to pkg-config's search path
PKG_CONFIG_LIBDIR
path overriding pkg-config's built-in search path
SYSTEMD_CFLAGS
C compiler flags for SYSTEMD, overriding pkg-config
SYSTEMD_LIBS
linker flags for SYSTEMD, overriding pkg-config
SYSTEMD_DAEMON_CFLAGS
C compiler flags for SYSTEMD_DAEMON, overriding pkg-config
SYSTEMD_DAEMON_LIBS
linker flags for SYSTEMD_DAEMON, overriding pkg-config
PYTHON_VERSION
The installed Python version to use, for example '2.3'. This
string will be appended to the Python interpreter canonical
name.
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
I did some digging on this as well and it looked to me like it was a default. I saw some references to it in older versions of unbound, but it works with the standard install in packaged ubuntu debs. I am fairly unfamiliar with building docker images, but I know linux and unbound well enough, and am happy to help test if that is useful.
That would be great. I can handle the Docker part.
You may be able to tell from the package management system what Ubuntu included in the package to support Unbound. I wonder if this is a missing Linux package in the image rather than a compile time flag.
I didn’t have much luck finding info about this in the Unbound docs.
On Feb 14, 2022, at 3:55 PM, Nick Buraglio @.***> wrote:
> I did some digging on this as well and it looked to me like it was a default. I saw some references to it in older versions of unbound, but it works with the standard install in packaged ubuntu debs. I am fairly unfamiliar with building docker images, but I know linux and unbound well enough, and am happy to help test if that is useful.
Yes, this is why I am exercising this kind of thing as much as possible. The more exposure these codepaths get, the better.
I have the latest version of unbound running on a variety of environments.... This docker container, as in this comparison, I'm using a Raspberry Pi 4B (8GB).
When I look at the install in the docker container, I get this:

```
root@DiskStation:~# docker exec -it DNS-unbound /bin/bash
root@DNS-unbound:/opt/unbound# unbound -V
Version 1.15.0

Configure line: --disable-dependency-tracking --prefix=/opt/unbound --with-pthreads --with-username=_unbound --with-ssl=/opt/openssl --with-libevent --with-libnghttp2 --enable-dnstap --enable-tfo-server --enable-tfo-client --enable-event-api
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.1 14 Dec 2021
Linked modules: dns64 respip validator iterator
TCP Fastopen feature available

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
```

From what I see there, the dns64 module appears to be linked in.

Now looking at my Pi information:

```
root@Raspberry-Pi-4:~# unbound -V
Version 1.15.0

Configure line: --prefix=/usr --sysconfdir=/etc --disable-static --with-libevent=/opt/libevent --with-pidfile=/run/unbound.pid
Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1m 14 Dec 2021
Linked modules: dns64 respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
```
In regards to the DNS64 module, it looks the same...
So, are we sure this is a compile issue?
This article provides a good explanation of DNS64.... http://www.hit.bme.hu/~lencse/publications/STS-2015-DNS64-revised.pdf
I'm no expert on this topic, but one of the things I found in there that stood out is this: "Unbound does not provide the DNS64 functionality when it is set up as a forwarder, thus it was tested only as a recursor."
Assuming this is still the case, the issue may be your configuration. But you say it works under other OS, so I'm not sure...
When you include the DNS64 commands in the unbound configuration, did you run a configuration check? What errors does the configuration check find?
When attempting to use this docker image as a DNS64 resolver the following errors are thrown:
It appears as if the DNS64 module is not compiled in. It would be a great addition to this docker image, any chance you could add it?
relevant configuration in unbound.conf is
When removed, the unbound instance works great.
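
One way to separate a build problem from a configuration problem is to compare the modules named in `module-config` with the `Linked modules:` line that `unbound -V` prints. The script below is an added example, not part of the thread or of the image's own code. Its sample version text is abridged from the `unbound -V` output quoted above, and the `unbound.conf` fragment is constructed for illustration because the reporter's configuration is not shown.

```shell
#!/bin/sh
# Added example: list modules requested in unbound.conf that are not linked
# into the unbound binary, according to `unbound -V`.

# Read `unbound -V` output on stdin; print one linked module name per line.
linked_modules() {
    sed -n 's/^Linked modules:[[:space:]]*//p' | tr -s ' ' '\n' | sed '/^$/d'
}

# Read unbound.conf text on stdin; print the modules named by the last
# uncommented module-config line, one per line.
configured_modules() {
    sed -n 's/^[[:space:]]*module-config:[[:space:]]*"\{0,1\}\([^"#]*\).*/\1/p' \
        | tail -n 1 | tr -s ' ' '\n' | sed '/^$/d'
}

# missing_modules VERSION_TEXT CONF_TEXT
# Print each configured module that is not linked in; print nothing when the
# build supports everything the configuration asks for.
missing_modules() {
    linked=$(printf '%s\n' "$1" | linked_modules)
    printf '%s\n' "$2" | configured_modules | while read -r mod; do
        printf '%s\n' "$linked" | grep -qxF "$mod" || printf '%s\n' "$mod"
    done
}

# Abridged from the `unbound -V` output quoted in the thread.
SAMPLE_VERSION='Version 1.15.0
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.1 14 Dec 2021
Linked modules: dns64 respip validator iterator'

# Constructed unbound.conf fragment (assumption: not the reporter's file).
SAMPLE_CONF='server:
    # module-config: "validator iterator"
    module-config: "dns64 validator iterator"
    dns64-prefix: 64:ff9b::/96'

missing=$(missing_modules "$SAMPLE_VERSION" "$SAMPLE_CONF")
echo "configured but not linked: ${missing:-none}"
```

Against a live container, pass `"$(unbound -V)"` and the contents of the active configuration file as the two arguments; an empty result points away from the build and toward the configuration.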